Security flaw in India Post server revealed by researcher

French security researcher Robert Baptiste who goes by Elliot Anderson on Twitter has been revealing cybersecurity flaws in the Indian scene for a while now. This time, he has reported a vulnerability on the India Post server that allows remote code execution.

Baptiste in fact reported this flaw on behalf of an Indian researcher who chose to remain anonymous because of the legal risk under Indian law.

The India Post subdomain digitization.indiapost.gov.in was vulnerable to the Apache Struts flaw CVE-2017-5638. This meant an attacker could run code on the India Post server, as shown below:

The flaw exposed bank details of employees as well as databases of sensitive information. He posted several screenshots of the files he was able to access by exploiting it.

He also revealed that he was not the first person to exploit the flaw, posting screenshots that show exploitation activity from almost a year earlier, on 14th April 2017.

The vulnerability has since been fixed, leading to Elliot Anderson tweeting out the details of this recent hack.

Jharkhand Police launch Responsible Disclosure

Good news for bug hunters: Jharkhand Police's Cyber Defence Research Center (CDRC) has launched a facility for responsible disclosure.

One of the major issues bug hunters face after finding a vulnerability in a website is the lack of a safe way to disclose it.

Researchers are often frustrated by the lack of action from an organization when they report a vulnerability. Sometimes the organization will instead threaten the researcher with a legal notice and accuse them of all sorts of cyber crimes.

To put an end to these issues, the Jharkhand Police have launched a service where security researchers can submit their vulnerability findings.

CDRC will contact the organization on your behalf and help it correct the reported security flaw.

You can use this service to report a vulnerability in the website of any Indian ministry, government department, or public or private organization.

You can submit your vulnerability findings here:
http://cdrc.jhpolice.gov.in/responsible-disclosure-submission/

Researchers should really thank the Jharkhand Police for creating such a useful service for both security researchers and organizations.